Guidance - Flash Vulnerability CVE-2015-5119

During the Hacking Team breach which came to light earlier this week, a large quantity of Hacking Team's internal data was posted online.  Some of this data pertained to a 0-day (a vulnerability which the vendor is not aware of) in Adobe Flash (versions 9 through to (CVE-2015-5119) which allows an attacker to execute code on a victims computer if they browse to a website with a malicious flash file embedded. 

Guidance - OpenSSL Vulnerability CVE-2015-1793

This morning, OpenSSL released details of a vulnerability (CVE-2015-1793) affecting OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1 for client connections; listening servers are unaffected unless they validate client certificates.  Anyone can issue themselves a certificate for any domain and the OpenSSL library will not notice, allowing someone to impersonate a server and pass TLS/SSL based checks.  The vulnerability allows an attacker to use a leaf certificate as if they were a Certificate Authority and issue rogue certificates to themselves. 

The Harms of Forced Data Localization

How we store data---and how we think about keeping our memories available over the long term---has changed in the last few years. The world has become better at keeping data secure and safe by distributing it to multiple continents. However, some leaders are calling for "national Internets"---censored, walled gardens set up to appease special interest groups that range from political factions, to property cartels, to religious police. Other leaders have taken a different tack, called forced localization; rather than blocking your communications, they want to require that all your data (and all the computers that handle it) be inside a single country: theirs, for whichever country they represent. These would be major changes to the structure of the Internet---changes that would harm both businesses and the general public.

Scarcity of Cybersecurity Expertise

Scarcity of cybersecurity experts is a real problem that can be quantified and described---but not one that can easily be solved. Limited resource availability, the basis for our entire economic system, is ordinarily a problem of finding raw materials or advanced machinery, not one of hiring the workers we need to defend our assets---but with more than one million cybersecurity positions unfilled worldwide, currently-identified cybersecurity needs could not be met if every employee at GM, Costco, Home Depot, Delta, and Procter \& Gamble became security experts tomorrow. Those one million positions span all industries, specializations, and requirements, and include approximately 25,000 non-military positions in the United States' federal civil service.

The Next Level

“That’s where the money is!”
– Attributed to Willie Sutton, Non-Traditional Withdrawals Specialist

Willie Sutton was quoted as having said the above (he denied coining the phrase) in response to the question, “Why do you rob banks?” At the time, it was an obvious choice; in a pre-networked world, value was primarily transmitted by moving physical objects around the world, whether they were bars of precious metalsmineral crystals, or slips of paper. A non-traditional account withdrawal, then, relied on transporting physical objects from point A (a location controlled by the bank) to point B (a location controlled by the attacker).